Rollout: F-Secure Client Security 7
New features and lower pricing make Client Security 7 a good fit for many businesses. But is that enough to entice enterprises to replace their existing security software?
June 6, 2007
When it comes to client security suites, McAfee and Symantec are Coke and Pepsi. They are ubiquitous, most enterprises already consume one or the other, and both generally provide the same experience. The goal for smaller vendors like F-Secure, Kaspersky Lab, Sophos and Trend Micro is to convince customers that there's a reason to try a third brand.
F-Secure has a two-pronged strategy: Address emerging threats and compete on price. Its Client Security 7 adds rootkit detection to a solid portfolio that includes anti-malware detection and removal, a stateful firewall, and intrusion prevention. Rootkits hide malicious programs from conventional security software, and their use is on the rise. However, technological advantages are fleeting; McAfee and Symantec have introduced rootkit detection to their enterprise client suites.
Price may be a more compelling argument: F-Secure offers similar features and a good management platform--F-Secure Policy Manager lets admins push clients to PCs, create and configure policies, and report on events--at a fraction of the cost of a product from the Big Two.
Hidden Problems
Rootkits are used to hide the signs of compromise or infection by manipulating user-mode programs (such as Windows Explorer) or kernel-level APIs (such as the low-level interface Explorer uses to access a directory listing) so that they cannot see certain files. Sony got lots of bad press for using rootkit-like technology to hide the DRM (digital rights management) software on some of its music CDs (and F-Secure and security researcher Mark Russinovich can each claim credit for blowing the whistle on Sony). More alarming, malware authors increasingly use rootkit technology to hide malicious software on compromised machines.
Blacklight, F-Secure's rootkit-detection software, is well-integrated with the rest of the client suite. It works by interrogating the OS in a number of ways for signs that a program may be manipulating registries, APIs or system calls. It runs during full scans of the computer, and the presence of rootkits is reported in the same manner as viruses and spyware. Blacklight quickly cleaned up our sample rootkits and deleted or quarantined the files.
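The approach described above, interrogating the OS through more than one path and looking for disagreement, is usually called a cross-view check: a rootkit that filters what one API returns rarely manages to filter every other route to the same fact. The script below is an added illustration of that idea for processes on Linux, written for this article; it is not Blacklight's code and says nothing about how Blacklight is implemented on Windows. View one is the /proc directory listing (what readdir-hooking rootkits commonly filter); view two is a brute-force probe of every PID with kill(pid, 0), which never touches readdir. PIDs that the probe finds but the listing omits are reported. The pid_max path, the Tgid line in /proc/<pid>/status and the two-listing trick for absorbing processes that exit mid-scan are standard Linux behaviour; any remaining disagreement should be re-run to confirm before it is treated as a finding.

```python
"""Cross-view hidden-process check for Linux (added example, not Blacklight code).

Two independent views of "which PIDs exist" are taken and compared:
  1. the /proc directory listing, which a readdir()-filtering rootkit hides from
  2. a brute-force probe of every PID with kill(pid, 0), which does not use readdir
A PID the probe finds but the listing omits is a candidate hidden process.
"""
import os

PROC = "/proc"


def listed_pids(proc_dir=PROC):
    """View 1: PIDs the kernel advertises through the /proc directory listing."""
    return {int(name) for name in os.listdir(proc_dir) if name.isdigit()}


def probed_pids(max_pid=None):
    """View 2: probe every candidate PID. kill(pid, 0) delivers nothing; it only
    reports whether the PID exists. EPERM still proves existence (another user's
    process), so only ESRCH means "no such process"."""
    if max_pid is None:
        with open(os.path.join(PROC, "sys/kernel/pid_max")) as fh:
            max_pid = int(fh.read())
    found = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:   # ESRCH
            continue
        except PermissionError:      # EPERM: exists, not ours
            pass
        found.add(pid)
    return found


def thread_leader(pid):
    """Thread-group id (main PID) of `pid` from /proc/<pid>/status, or None if the
    file cannot be read. kill() accepts thread ids, so without this step every
    thread of a multi-threaded process would look like a hidden PID."""
    try:
        with open(f"{PROC}/{pid}/status") as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except OSError:
        return None
    return None


def cross_view_diff(api_view, raw_view):
    """Entries present in the low-level view but absent from the API view."""
    return sorted(set(raw_view) - set(api_view))


def hidden_process_scan(max_pid=None):
    """Compare both views. A second directory listing after the probe absorbs
    processes that simply exited while the probe was running."""
    before = listed_pids()
    raw = probed_pids(max_pid)
    after = listed_pids()
    visible = before | after
    suspects = []
    for pid in cross_view_diff(visible, raw):
        leader = thread_leader(pid)
        if leader is not None and leader != pid and leader in visible:
            continue   # a thread of a visible process, not a hidden process
        suspects.append(pid)   # includes short-lived races; re-run to confirm
    return suspects


def self_check():
    """Sanity check: the scanner must not flag its own, unhidden process."""
    return os.getpid() not in hidden_process_scan(max_pid=os.getpid())


if __name__ == "__main__":
    hidden = hidden_process_scan()
    print("hidden PID candidates:", hidden if hidden else "none")
```

Run it as any user; root is not required because EPERM from kill() is treated as proof of existence. A kernel rootkit that also hooks the kill() path would defeat this particular pair of views, which is why scanners of this kind take several views rather than two.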
Security Suite Comparison (comparison table; image not reproduced here)
The Good And The Bad
F-Secure's product also performs well on a number of other fronts. When we installed it in our University of Florida Real-World Labs®, it quickly identified the viruses and spyware we had planted on our systems, prevented us from downloading viruses from a Web site, and blocked network probes and attacks.
The firewall feature includes a location-aware capability, with which IT can adjust settings depending on the computer's whereabouts. The software can let a user enable file and printer sharing while at the office, for instance, but restrict it everywhere else. We also centrally configured network access for applications, which prevents rogue apps and malware from communicating with command systems on the Internet.
F-Secure Client Security includes a behavioral-based HIPS (host intrusion-prevention system) called DeepGuard. As in other security suites, this system is a double-edged sword--DeepGuard found and blocked port scans and other malicious traffic, but also warned us about some unusual, but harmless, traffic.
To its credit, F-Secure's product can log packet data, which helps security administrators determine if traffic is really malicious. When Client Security showed a steady stream of intrusion attempts from one of the servers on our network, we had it capture packet data, then loaded the file into Wireshark, where we discovered the "attacks" were just harmless Novell Cluster Services heartbeat broadcasts. Although we could use the management interface to configure a firewall rule to ignore this type of traffic from this host, a simple button that would have let us tell the client to stop alerting on this particular traffic would be welcome.
Client Security also detected a number of programs on our systems that it classified as "riskware." This is software, such as a network scanner or system-diagnostic tool, that isn't necessarily bad, but could be used by an attacker or malicious employee to compromise security. The presence of such programs is often a first sign of trouble. However, Client Security didn't recognize a Serv-U FTPd server we installed as riskware; it should have. Serv-U FTPd is used almost exclusively by file traders to distribute unlicensed copyrighted material. F-Secure's riskware default settings could be more comprehensive.
Keeping Track
The F-Secure Policy Manager provides an almost dizzying array of information and configuration options for the clients. But a convenient tabbed grouping of functions--installation, alerts, status--keeps it manageable. Policy Manager automates downloading and distributing detection updates and includes dedicated proxy software that can be installed at remote sites to reduce the load on WAN links. As you'd expect, Policy Manager lets administrators create group policies with different settings depending on the group. Alerts about viruses, rootkits and network attacks found on the clients are reported to the console and can be sent to an e-mail address, a syslog server or SNMP console.
The Policy Manager console can be used to configure a custom version of the client software, then push it to other networked computers. It also can build an installer package that you copy to your clients and install manually. However, then you must import the clients to the Policy Manager's control--an extra step that seems unnecessary. Policy Manager tracks some basic information on clients, but doesn't include the breadth of inventory information that McAfee's ePolicy Orchestrator collects, such as disk utilization.
F-Secure Client Security 7 is a capable security suite that is nicely integrated both on the client and management side--but so is most of the software in this class. An enterprise that has deployed a client-protection suite is unlikely to switch to F-Secure based simply on features. So F-Secure's greatest advantage is price. It costs $29.95 per PC for 100 licenses--a per-PC savings of more than $60 compared with a similar suite from McAfee.
Avi Baumstein is an information security analyst at the University Of Florida's Health Science Center. Write to him at [email protected].